log4j Upgrade - Githubissues

awslabs / dynamodb-streams-kinesis-adapter

The Amazon DynamoDB Streams Adapter implements the Amazon Kinesis interface so that your application can use KCL to consume and process data from a DynamoDB stream.

Apache License 2.0

99 stars 37 forks source link

log4j Upgrade #49

Closed elbrujohalcon closed 2 years ago

elbrujohalcon commented 2 years ago

This package ships with version 2.13.3 of log4j-core and log4j-api. A vulnerability was discovered recently affecting those versions. Would it be possible to produce a new release that ships with the newest versions of them?

aggarwal commented 2 years ago

dynamodb-streams-kinesis-adapter-1.5.3 does not have a direct dependency on log4j. It depends on amazon-kinesis-client-1.13.3, which has a direct test dependency on log4j-1.2.17, which is not vulnerable to the CVE-2021-44228.

How are you picking up 2.13.3 in your dependency closure?

elbrujohalcon commented 2 years ago

You're right. It was my bad. I was picking up test dependencies incorrectly.